Bug 2324540 (CVE-2024-52336) - CVE-2024-52336 tuned: `script_pre` and `script_post` options allow to pass arbitrary scripts executed by root
Status: NEW
Alias: CVE-2024-52336
Deadline: 2024-11-26
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Assignee: Product Security DevOps Team
Reported: 2024-11-08 13:07 UTC by OSIDB Bzimport
Modified: 2025-04-11 07:38 UTC

Links

| System | ID | Private | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|---|
| Red Hat Product Errata | RHSA-2024:10384 | 0 | None | None | None | 2024-11-26 15:44:33 UTC |

Description OSIDB Bzimport 2024-11-08 13:07:00 UTC
The `script_pre` and `script_post` options allow arbitrary scripts to be passed that will be executed by root. The parameters are extracted in "daemon/controller.py:459", stored unmodified in a new `Instance` object, and the only verification of the script path is performed in "plugins/base.py:222":

```
    if not script.startswith("/"):
        log.error("Relative paths cannot be used in script_pre or script_post. " \
                + "Use ${i:PROFILE_DIR}.")
        return False
```

So the only requirement is that an absolute path is passed. Thus scripts under control of an unprivileged user can be passed here. This allows for a local root exploit.
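
An added example, not tuned's code and not the fix shipped in RHSA-2024:10384: one way a root daemon can decide whether a script path is under the control of an unprivileged user, by checking ownership and write bits on the file and on every parent directory. The names `component_is_safe`, `untrusted_components` and `TRUSTED_UIDS` are hypothetical, and the policy (root-owned, no group or world write) is an assumption.

```python
import os
import stat

TRUSTED_UIDS = frozenset({0})  # assumption: only root may own or modify the script path


def component_is_safe(st_uid, st_mode, trusted_uids=TRUSTED_UIDS):
    """A path component is safe if a trusted user owns it and neither
    group nor others have write permission on it."""
    writable_by_others = st_mode & (stat.S_IWGRP | stat.S_IWOTH)
    return st_uid in trusted_uids and not writable_by_others


def untrusted_components(script, trusted_uids=TRUSTED_UIDS):
    """Return the components of `script` (the file and every parent
    directory) that an untrusted user could modify or replace.
    An empty list means the path is acceptable for execution as root."""
    if not script.startswith("/"):
        raise ValueError("relative script path: %r" % script)
    path = os.path.realpath(script)  # resolve symlinks before inspecting
    bad = []
    if not stat.S_ISREG(os.lstat(path).st_mode):
        bad.append(path)  # target must be a regular file
    while True:
        st = os.lstat(path)
        if path not in bad and not component_is_safe(st.st_uid, st.st_mode, trusted_uids):
            bad.append(path)
        parent = os.path.dirname(path)
        if parent == path:  # reached "/"
            break
        path = parent
    return bad


if __name__ == "__main__":
    import sys
    for arg in sys.argv[1:]:
        problems = untrusted_components(arg)
        print(arg, "OK" if not problems else "REJECT: " + ", ".join(problems))
```

A path in a world-writable directory such as `/tmp` passes the `startswith("/")` test quoted above but is reported here, because both the file's owner and the directory's write bits are checked.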

Comment 12 errata-xmlrpc 2024-11-26 15:44:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:10384 https://access.redhat.com/errata/RHSA-2024:10384

